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AMENDMENTS TO THE CLAIMS 
This listing of claims will replace all prior versions and listings of claims in the 
above-identified application: 

Claim 1 (original): A security data packet processing system comprising: 

a transmitting (Tx) direct memory access (DMA) interface (314) receiving a 
streamed security data packet, selecting a channel for processing the streamed security 
data packet and transferring the streamed security data packet to an external memory; 

an input DMA engine (306) retrieving portions of the streamed security data 
packet from the external memory after all portions of the streamed security data packet 
have been transferred to the external memory; 

an input FIFO (308) receiving the portions of the streamed security data packet 
from the input DMA engine (306) in blocks of a predetermined byte size, portions being 
retained in a portion of the input FIFO allocated to the selected channel; 

a context RAM (308) receiving a security association database (SAD) entry 
associated with the selected channel, the SAD entry being retrieved from the external 
memory by the input DMA engine; and 

an input crypto DMA engine (3 1 0) providing the blocks of the security data 
packet to a processing engine for processing. 

Claim 2 (original): The system as claimed in claim 1 flirther comprising: 

an output crypto FIFO (320) receiving processed blocks of the security packet 

from the processing engine; 

an output DMA engine (322) transferring the processed blocks of the security 

packet to an external output memory (158); and 

a receiving (Rx) direct memory access (DMA) interface (324) retrieving the 

processed blocks of the security packet from the external output memory (158) after all 

portions of the processed security data packet have been transferred to the external output 

memory (158), and transferring the processed blocks of the security data packet to a 

streaming interface for streaming* . 
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Claim 3 (original): The system as claimed in claim 2 wherein the receiving (Rx) DMA 
interface (324) includes a plurality of registers storing length information each of a 
plurality of processed security data packets, the receiving (Rx) DMA interface (324) 
performing the retrieving in response to the storing of the length information for an 
associated processed security data packet. 

Claim 4 (original): The system as claimed in claim 1 wherein the context RAM (308) 
includes a portion storing program state information associated with the selected channel. 

Claim 5 (original): The system as claimed in claim 1 wherein the transmitting (Tx) direct 
memory access (DMA) interface (3 14) selects a least busy channel based on an amount 
of buffer space available for a channel in the external memory (156). 

Claim 6 (original): The system as claimed in claim 1 wherein when the security packet is 
an outbound IPSec security packet and wherein an outer header (56) and IPSec header 
(55) are added to the outbound IPSec security packet when portions of the packet are 
buffered in input FIFO (3 08). 

Claim 7 (original): The system as claimed in claim 1 wherein when the security packet is 
an inbound IPSec security packet and wherein an outer header (66) and IPSec header (65) 
are removed from the outbound IPSec security packet prior to portions of the packet 
being buffered in input FIFO (308). 

Claim 8 (currently amended): A method for processing a security data packet 
comprising: 

receiving a streamed security data packet; 

selecting a channel for processing the streamed security data packet; 
transferring the streamed security data packet to an external memory; 



3 



PAGE 6117 ' RCVD AT 5/9/2005 5:47:16 PM [Eastern Daylight Time] * SVR:USPT0<EFXRF-1i1 1 * ONIS:8729306 k CSID;48D3855(t61 * DURATION (mm-ss):05-34 



May. 9. 2005 2:45PM INGRASSIA FISHER & LORENZ PC No. 9520 P. 7' 

Appl. No. 09/880,701 
Amdt. Dated May 9, 2005 
Reply to Office Action of December 15, 2004 

retrieving portions of the streamed security data packet from the external memory 
after all portions of the streamed security data packet have been transferred to the 
external memory; 

transferring the portions of the streamed security data packet in an input FIFO 
(308) from an input DMA engine (306) in blocks of a predetermined byte size, portions 
being retained in a portion of the input FIFO allocated to the selected channel; 

receiving at a context PAM RAM (308), a security association database (SAD) 
entry associated with the selected channel, the SAD entry being retrieved from the 
external memory by the input DMA engine; and 

providing to an input crypto DMA engine (310) the blocks of the security data 
packet to a processing engine for processing. 

Claim 9 (original): The method as claimed in claim 8 further comprising: 

receiving by an output crypto FIFO (320), processed blocks of the security packet 
from the processing engine; 

transferring by an output DMA engine (322) the processed blocks of the security 
packet to an external output memory (158); 

retrieving by a receiving (Rx> direct memory access (DMA) interface (324) the 
processed blocks of the security packet from the external output memory (158) after all 
portions of the processed security data packet have been transferred to the external output 
memory (158); and 

transferring the processed blocks of the security data packet to a streaming 
interface for streaming. 

Claim 10 (original): The method as claimed in claim 9 further comprising storing length 
information for each of a plurality of processed security data packets in one of a plurality 
of registers of the receiving (Rx) DMA interface (324), and wherein the receiving (Rx) 
DMA interface (324) performs the retrieving in response to the storing of the length 
information for an associated processed security data packet, 
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Claim 1 1 (original): The method as claimed in claim 8 further comprising storing 
program state information associated with the selected channel in a portion of the context 
RAM (308) for the selected channel. 

Claim 12 (original): The method as claimed in claim 8 further comprising selecting a 
least busy channel based on an amount of buffer space available for a channel in the 
external memory (1 56), the selecting being performed by the transmitting (Tx) DMA 
interface (3 14). 

Claim 13 (original): The method as claimed in claim 8 wherein when the security packet 
is an outbound IPSec security packet, the method further comprises adding an outer 
header (56) and IPSec header (55) to the outbound IPSec security packet when portions 
of the packet are buffered in input FIFO (308). 

Claim 14 (original): The method as claimed in claim 8 wherein when the security packet 
is an inbound IPSec security packet, the method further comprises removing an outer 
header (66) and IPSec header (65) from the outbound IPSec security packet prior to 
portions of the packet being buffered in input FIFO (308). 

Claim 1 5 (original): A method of processing an IPSec security protocol packet, the 
IPSec security protocol packet comprising an IPSec header, the method comprising: 

buffering an IPSec security protocol packet in an external memory; 

reading portions of the buffered IPSec security protocol packet into a first local 
buffer, the portions having a predetermined number of bytes; 

verifying header information of the IPSec security protocol packet; 

reading a security association database (SAD) entry into the first local buffer; 

processing the IPSec security protocol packet based on information in the SAD 
entry; and 

storing the processed IP Sec security protocol packet in an external memory. 
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Claim 16 (original): The method as claimed in claim 15 further comprising parsing the 
IPSec header to retrieve a pointer to the SAD entry. 

Claim 1 7 (original): The method as claimed in claim 1 5 wherein prior to the processing 
step, the method includes prepending control information to the IPSec security protocol 
packet based on information the SAD entry, the control information for use in the 
processing step. 

Claim 18 (original): The method as claimed in claim 15 wherein the processing step 
includes performing a cryptographic operation on the IPSec security protocol packet, the 
cryptographic operation comprising either a decryption function or an authentication 
function when the IPSec security protocol packet is an inbound packet, and an encryption 
operation when the IPSec security protocol packet is an outbound packet. 

Claim 19 (original}: The method as claimed in claim 15 further comprising selecting a 
least busy channel of a plurality of channels for processing the EPSec security protocol 
packet, and wherein the external memory has a portion associated with least busy 
channel. 

Claim 20 (original): The method as claimed in claim 15 wherein after the processing 
step, the method includes buffering the processed IPSec security protocol packet in a 
buffer allocated to the channel selected for the packet 

Claim 21 (original): The method as claimed in claim 1 5 further comprising performing a 
security policy check on the processed IPSec security protocol packet* the security policy 
check comprising verifying that an IP source address is within a range of addresses 
identified by the SAD entry* 
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Claim 22 (original): The method as claimed in claim 1 5 further comprising performing 
an anti-replay check on the processed IPSec security protocol packet, and updating a 
current byte count and anti-replay fields of the SAD entry. 

Claim 23 (original): An application specific integrated circuit for processing IPSec 
security protocol packets comprising: 

a first streaming interface communicating with a network processor over a 
streaming interface and receiving a streamed packet; 

an input buffer storing portions of the streamed packet along with control 
information for the packet; 

a crypto core engine performing IPSec cryptographic operations on the packet in 
accordance with the control information; 

an output buffer storing processed portions of the streamed packet; and 

a second streaming interface receiving the processed portions of the streamed 
packet from the output buffer and providing the network processor a processed IPSec 
packet over the streaming interface. 

Claim 24 (original): The ASIC as claimed in claim 23 wherein the streaming interface 
selects a channel from a plurality of channels for processing the streamed packet, and 
wherein the input buffer and output buffer each have a portion thereof associated with 
each channel. 

Claim 25 (original): The ASIC as claimed in claim 24 further comprising a plurality of 
processing cores, each processing core associated with one of the channels and 
controlling the processing of an IPSec packet through the associated channel. 

Claim 26 (original): A method of processing data packets for implementing a security 
protocol, the method comprising: 
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receiving at a first streaming interface an IP data packet from a network 
processor, the IP data packet including a security association database (SAD) tag 
prepended thereto; 

moving at least portions of the IP data packet in a first portion of a first buffer; 
reading an SAD entry corresponding to the SAD tag into a second portion of the 
first buffer, 

prepending control information to the IP data packet; 

processing the IP data packet by performing a cryptographic operation on the IP 
data packet to generate a security protocol data packet; and 

streaming the security protocol data packet from a second streaming interface to 
the network processor for transmission through the network. 

Claim 27 (original): The method as claimed in claim 26 wherein the security header and 
outer IP header are based on information from the corresponding SAD entry. 

Claim 28 (original): The method as claimed in claim 27 wherein the security protocol is 
an JPSec protocol, and wherein the security header is an IPSec header, and wherein the 
security protocol data packet is formatted in accordance with an IPSec security protocol. 

Claim 29 (original): The method as claimed in claim 26 wherein the cryptographic 
operation comprises either an encryption or authentication cryptographic operation, and 
wherein the method further comprising storing at least portions of the security protocol 
data packet in a second buffer. 

Claim 30 (original): The method as claimed in claim 26 further comprising the input 
streaming interface selecting a least busy channel from a plurality of channels for 
processing the IP data packet. 

Claim 31 (original): The method as claimed in claim 26 further comprising, prior to the 
reading, obtaining a semaphore for the SAD entry to prevent modification of data within 
the SAD entry by other channels. 
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Claim 32 (original): The method as claimed in claim 3 1 further comprising, subsequent 
to the reading, updating a byte count and sequence number in the SAD entry. 

Claim 33 (original): The method as claimed in claim 26 wherein the storing comprises 
buffering the portions of the security protocol data packet, the portions comprising a 
predetermined number of bytes. 

Claim 34 (original): The method as claimed in claim 26 wherein the control information 
identifies an algorithm and key for the cryptographic operation to apply to the IP data 
packet 

Claim 35 (original): The method as claimed in claim 26 fUrther comprises checking a 
path maximum transmission unit (PMTU) value of the IP data packet including the 
security header and the outer IP header as prepended to the IP data packet to determine 
when the PMTU value exceeds a PMTU value for a tunnel through which the security 
protocol data packet is destined. 

Claim 36 (original): The method as claimed in claim 26 wherein the processing is 
performed by a crypto engine and wherein subsequent to the processing, the method 
further comprises prepending status information to the security protocol data packet, the 
status information being generated by the processing and identifying when the crypto 
engine detects an error. 

Claim 37 (original): The method as claimed in claim 26 wherein the streaming is 
performed when all portions of the security protocol data packet are stored in a second 
buffer. 
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